## RSA ZKP (Non-interactive)

In [1]:
import math
import random

from __future__ import print_function

import sys

def debug(expressions):
    frame = sys._getframe(1)
    for expression in expressions.split():
        print(expression, '=', repr(eval(expression, frame.f_globals, frame.f_locals)))

def debug_s(expressions):
    frame = sys._getframe(1)
    for expression in expressions.split(','):
        print(expression.strip(), '=', repr(eval(expression, frame.f_globals, frame.f_locals)))

### Protocol

Prover (P) 🧑‍🚀 ⇨ 👮 Verifier (V)

* Private: [m]
* Public: (N, e, c)

In [2]:
class Private:
    
    def __init__(self, m):
        self.m = m

prv = Private(88)
vars(prv)

{'m': 88}

In [3]:
class Public:

    def __init__(self, N, e, m):        
        self.N = N
        self.e = e
        self.c = m ** e % N
    
pub = Public(2430101, 9007, prv.m)
vars(pub)

{'N': 2430101, 'e': 9007, 'c': 160613}

In [4]:
class Request:

    def __init__(self, x1, x2):
        self.x1 = x1
        self.x2 = x2

class Prover:

    @staticmethod
    def send():
        r1 = random.randint(0, pub.N)
        r2 = prv.m * pow(r1, -1, pub.N) % pub.N

        debug('r1 r2')

        x1 = r1 ** pub.e % pub.N
        x2 = r2 ** pub.e % pub.N

        debug('x1 x2')

        return Request(x1, x2)
    
class Verifier:
    
    @staticmethod
    def recv(request):
        return request.x1 * request.x2 % pub.N == pub.c

Verifier.recv(Prover.send())

r1 = 1655681
r2 = 1878284
x1 = 1896463
x2 = 441681


True

### Attack

Attacker (A) 🥷 ⇨ 👮 Verifier (V)

In [5]:
class Attacker:
    
    @staticmethod
    def send():
        r = random.randint(0, pub.N)
        v1 = pub.e * pow(r, -1, pub.N) % pub.N
        x = pub.c * pow(pub.e, -1, pub.N) % pub.N
        v2 = x * r % pub.N

        debug('r x')
        debug('v1 v2')

        return Request(v1, v2)

Verifier.recv(Attacker().send())

r = 1293157
x = 2031892
v1 = 1602131
v2 = 1366491


True